Current security mechanisms on mobile phones, such as PINs and passwords, have known weaknesses. They are susceptible to shoulder-surfing and smudge attacks, and they work on an all-or-nothing basis: once the secret is entered correctly, the user has access to everything on the device. Another weakness comes from the tension between security and usability. Mobile device usage consists of many short bursts of activity, so users have to type their password or PIN every time they want to use the phone; as a result they tend to choose weak secrets for the sake of convenience, and on some occasions they do not set a password or PIN at all. More advanced techniques such as face and fingerprint recognition can also be circumvented, they hinder usability, and they may require special hardware. Fingerprint recognition, for example, needs a dedicated sensor, and a fingerprint can be reconstructed relatively easily from a surface the user has touched or even from a photograph, after which it can be used to unlock any device secured by that fingerprint.
One way to address these problems is to authenticate the owner of a mobile phone implicitly, using context. Implicit means that the user is not required to perform any additional task; instead, authentication relies on the data a mobile phone already produces while its user interacts with it. Context can include rich information such as location and device fingerprints, but the most interesting type of context is behavior analysis, which takes advantage of the relation between a phone and its owner. Contextual authentication therefore aims to increase both security and usability by authenticating users through the way they interact with their phones rather than by requiring them to perform a specific task, such as entering a password.
The purpose of this work is to explore the possibility of authenticating the owner to the mobile phone continuously and implicitly, with an accuracy high enough to be acceptable in practice. We focus on movements that are natural to phone usage, that is, movements that happen anyway while users interact with their phones. The solution therefore requires no additional authentication task: users simply use their phones. The two natural movements we investigate are (1) the way users pick up their phones from a table, and (2) the micro-movements of the phone while users interact with it. Both movements serve the goal of implicit authentication; the micro-movements additionally serve the goal of continuous authentication, meaning that the user is authenticated in the background all the time, and in particular whenever a critical function such as a banking app is accessed. An important property of the pick-up motion is that it usually precedes any other interaction: the user has to pick the phone up before starting to use it. The pick-up motion can thus serve as a first line of defense, while micro-movement authentication serves as a second, continuous line of defense.
An important objective is to extract features from the collected data (such as mean, standard deviation and amplitude) that are informative about it, and then to select those features that best discriminate the owner from other users for each of the two motions. Another objective is to choose a classification algorithm that suits each type of movement; classification algorithms usually have parameters that must be tuned carefully to get the best out of the resulting model. The last objective is to build a pattern recognition process that detects a pick-up motion (regardless of who performs it) at the right time; otherwise the pick-up authentication mechanism would be useless, because it would not know which segment of sensor data to classify.
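The two objectives above, feature extraction and pick-up detection, as an added example that is not part of the thesis or its Android app. It is written in Python rather than in the Java of the prototype because the logic is independent of the platform. The sample layout (six-tuples of X, Y, Z acceleration and yaw, pitch, roll), the 18 features (mean, standard deviation and amplitude per axis, as named in the text), the rest-then-motion rule used to detect a pick-up, and the constructed trace are all assumptions made for this example, not the thesis' actual detector or data.

```python
"""Added example (not the thesis' Android app): turning raw 6-axis sensor samples
into the per-window features named in the text, plus a simple pick-up detector.

A sample is a 6-tuple (ax, ay, az, yaw, pitch, roll): acceleration in m/s^2
(gravity included, as Android reports it) and orientation angles in degrees.
The pick-up rule below is an assumption made for this example, not the
thesis' detector.
"""
import math
from statistics import mean, pstdev

AXES = ("ax", "ay", "az", "yaw", "pitch", "roll")
G = 9.81  # magnitude of gravity; a phone lying still reports |a| close to this


def extract_features(window):
    """Mean, standard deviation and amplitude (max - min) of every axis over one
    window of samples: 18 features from 6 axes, the kind of input a classifier
    such as the SVM in the text is trained on."""
    feats = {}
    for i, name in enumerate(AXES):
        col = [s[i] for s in window]
        feats[name + "_mean"] = mean(col)
        feats[name + "_std"] = pstdev(col)
        feats[name + "_amp"] = max(col) - min(col)
    return feats


def magnitude(sample):
    """Euclidean norm of the acceleration part of a sample."""
    ax, ay, az = sample[:3]
    return math.sqrt(ax * ax + ay * ay + az * az)


def detect_pickup(samples, rest_len=10, rest_tol=0.3, move_thresh=2.0, max_gap=5):
    """Index of the sample where a pick-up starts, or None.

    Hypothetical rule: the phone has lain still for at least rest_len samples
    (|a| within rest_tol of G), and within max_gap samples of leaving rest the
    acceleration magnitude deviates from G by more than move_thresh. Running
    this over the live stream is what tells the pick-up authenticator which
    segment of data to classify."""
    still = 0    # consecutive still samples before the current motion
    moving = 0   # samples since the phone last lay still
    for i, s in enumerate(samples):
        dev = abs(magnitude(s) - G)
        if dev <= rest_tol:
            still = still + 1 if moving == 0 else 1
            moving = 0
        else:
            moving += 1
            if still >= rest_len and moving <= max_gap and dev > move_thresh:
                return i
    return None


def constructed_trace():
    """Constructed input (not recorded data): 15 samples of the phone lying flat,
    then 10 samples of a lift that tilts the phone and raises it."""
    rest = [(0.05, -0.02, 9.80, 0.0, 0.0, 0.0)] * 15
    lift = [(1.0 * k, 0.5 * k, 9.81 + 0.8 * k, 2.0 * k, 5.0 * k, 1.5 * k)
            for k in range(1, 11)]
    return rest + lift


if __name__ == "__main__":
    trace = constructed_trace()
    start = detect_pickup(trace)
    print("pick-up starts at sample", start)
    for name, value in sorted(extract_features(trace[start:]).items()):
        print(f"{name:>11s} = {value:8.3f}")
```

On the constructed trace the detector fires at the third lift sample, the first one whose magnitude deviates from gravity by more than the threshold; the feature vector is then computed from the segment starting there. The thresholds would have to be tuned on real recordings, and the rest-length requirement is what keeps ordinary in-hand movement from being mistaken for a pick-up.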
The first step of this work was to build a simple Android app that records sensor data from the accelerometer and the orientation sensor. A group of participants was asked to pick up the phone from a table and to type on it several times while the app recorded the acceleration along the X, Y and Z axes and the orientation angles yaw, pitch and roll. Manual inspection of this data showed noticeable differences between users. Machine learning was then used to build a classification model with two classes, owner and non-owner, which predicts the class of the current user when new data is supplied to it. Two algorithms were used: Dynamic Time Warping (DTW) for the pick-up motion and a Support Vector Machine (SVM) for the micro-movements. For DTW, the raw sensor data were used directly to build the model; for the SVM, features were first extracted from the sensor data and the model was trained on them. The accuracy of the models was then evaluated with a prototype Android app: during the test, participants would pick up the phone or type, and the app displayed the algorithm's decision. The results showed that both motions can be used to differentiate the owner of the device from intruders. The pick-up motion achieved 3.3% FRR (false rejection rate, the share of genuine owner attempts rejected) and 0% FAR (false acceptance rate, the share of intruder attempts accepted). The micro-movements achieved 9.5% FRR and 9.2% FAR with the polynomial kernel and 6.8% FRR and 12.3% FAR with the sigmoid kernel.
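The DTW-based pick-up decision and the FAR/FRR evaluation described above, as an added example that is not the thesis' prototype. It is written in Python rather than the Java of the Android app. DTW itself is the standard algorithm; the owner model (enrollment traces as templates plus a distance threshold), the rule that sets the threshold from leave-one-out distances among the templates, and the synthetic lift traces are assumptions made for this example, not the thesis' method or data.

```python
"""Added example (not the thesis' prototype): owner/non-owner decision on raw
pick-up traces with Dynamic Time Warping, and FAR/FRR computed on constructed
data.

A trace is a list of (ax, ay, az) samples. The owner model is a set of
enrollment traces (templates) plus a distance threshold; the threshold rule
and the synthetic traces are assumptions made for this example.
"""
import math

G = 9.81


def dtw_distance(a, b):
    """Classic DTW: minimal cumulative Euclidean cost over monotone alignments
    of a and b, so two pick-ups performed at different speeds still compare
    sample-for-sample."""
    n, m = len(a), len(b)
    inf = float("inf")
    prev = [inf] * (m + 1)
    prev[0] = 0.0
    for i in range(1, n + 1):
        cur = [inf] * (m + 1)
        for j in range(1, m + 1):
            cost = math.dist(a[i - 1], b[j - 1])
            cur[j] = cost + min(prev[j], cur[j - 1], prev[j - 1])
        prev = cur
    return prev[m]


def score(templates, trace):
    """Distance of a trace to the owner: DTW distance to the closest template."""
    return min(dtw_distance(trace, t) for t in templates)


def enroll(owner_traces, margin=2.0):
    """Owner model from enrollment pick-ups. Threshold = margin times the largest
    leave-one-out distance among the templates (assumed rule: genuine pick-ups
    should be about as far from the templates as the templates are from each
    other)."""
    loo = [score(owner_traces[:i] + owner_traces[i + 1:], t)
           for i, t in enumerate(owner_traces)]
    return {"templates": list(owner_traces), "threshold": margin * max(loo)}


def is_owner(model, trace):
    return score(model["templates"], trace) <= model["threshold"]


def far_frr(model, owner_tests, intruder_tests):
    """FRR: share of genuine owner pick-ups rejected. FAR: share of intruder
    pick-ups accepted. Both in [0, 1]."""
    frr = sum(not is_owner(model, t) for t in owner_tests) / len(owner_tests)
    far = sum(is_owner(model, t) for t in intruder_tests) / len(intruder_tests)
    return far, frr


def tradeoff(templates, owner_tests, intruder_tests):
    """(threshold, FAR, FRR) at every observed score: raising the threshold
    lowers FRR and raises FAR, which is why one FAR/FRR pair describes a
    single operating point of a system."""
    scores = sorted(score(templates, t) for t in owner_tests + intruder_tests)
    rows = []
    for th in scores:
        model = {"templates": templates, "threshold": th}
        rows.append((th,) + far_frr(model, owner_tests, intruder_tests))
    return rows


def synth_pickup(speed, amp, n=20):
    """Constructed lift (not recorded data): a half-sine bump scaled per axis by
    amp=(x, y, z), time-warped by speed, with gravity on z."""
    trace = []
    for k in range(n):
        t = min(1.0, speed * k / n)
        b = math.sin(math.pi * t)
        trace.append((amp[0] * b, amp[1] * b, G + amp[2] * b))
    return trace


def constructed_dataset():
    """Three owner enrollments at slightly different speeds, two further owner
    attempts with small amplitude changes, and two very different intruders."""
    owner = (1.0, 0.3, 3.0)
    templates = [synth_pickup(s, owner) for s in (1.0, 1.1, 1.2)]
    owner_tests = [synth_pickup(1.05, (1.05, 0.3, 3.1)),
                   synth_pickup(1.15, (0.95, 0.3, 2.9))]
    intruder_tests = [synth_pickup(2.0, (6.0, -2.0, 5.0)),
                      synth_pickup(0.8, (-4.0, 3.0, 8.0))]
    return templates, owner_tests, intruder_tests


if __name__ == "__main__":
    templates, owner_tests, intruder_tests = constructed_dataset()
    model = enroll(templates)
    far, frr = far_frr(model, owner_tests, intruder_tests)
    print(f"enrolled threshold={model['threshold']:.2f}  FAR={far:.1%}  FRR={frr:.1%}")
    for th, far, frr in tradeoff(templates, owner_tests, intruder_tests):
        print(f"threshold={th:7.2f}  FAR={far:.1%}  FRR={frr:.1%}")
```

The tradeoff table is the part worth keeping in mind when reading the reported figures: a 0% FAR at 3.3% FRR for the pick-up motion is one point on such a curve, chosen by the threshold, and the same model could be tuned toward fewer rejections at the cost of some acceptances. The constructed intruders differ from the owner in the direction of the lift, not only in speed, because DTW deliberately discounts speed differences.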